From nobody Sat Jun 01 15:09:44 2024 X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4Vs3Lc5TwKz5N2VQ; Sat, 01 Jun 2024 15:09:44 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4Vs3Lc4mMlz4L7K; Sat, 1 Jun 2024 15:09:44 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1717254584; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=2rK/Ime0knRezH/adpBAj614z8deIPIZ38sN43FV9Bg=; b=Cgua4lrdujigLPAs15uSxZ8J/gisDuw04yjGvcMJQzh3bpnp1wR4CD35vL2gVXo07lDbye ap/e4P7ippzGiaqGAOg6u4+vbvpYmL89bYHqszlof/KpsHbUnothKKNMNe49ZJY+yr5AnH U/fa7c9z1wqshH0TEDKaxsK6xMn/ASC4YYo8oUfadVxLkjvSiSVk/zkAgxDdqeJW161Zmw hPSoiwqqUYufRKJ/XNXfU59dmypHGyMqBrEOzkXlKWl46zVjIEtnrUub07Oh6Sfk5L7uS4 lQ6AyQvecE27Z+oFyD9XRVTL6ls2zfcgp6lfVxMALLwAPv0iIxF9n0mUyoMQoQ== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1717254584; a=rsa-sha256; cv=none; b=KEWb5JxwMxdjlcr8IhA/1VtWCFYUjaUqEpokO7SJU2hIqT7Sx2t2D1xIyE3QF2JL+7eqSe 0oklTCKxbNK6GpCwB49F+T11u85EaEO2A2K5jh3GFOlyqTbjl4MQe7uu01GrADRmq0OM52 MbBybxekYUrfdbO8tiEILMtg/xxIjUs0mOnMV/q+WacM2m6KYSaXe0QPUvKrEFos/4DEje j7vIKoJl5CN2k61IQge3sPf2frO7rXXAeLLyNnB/gjGt4TT3zd7Zw4vKhPxzpsbxq/TRz0 8rve9sijomgWPdvIZXZXLIsY+x39JTMz24BROMC/fvjNrlQNc5dl173ORWfcew== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1717254584; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=2rK/Ime0knRezH/adpBAj614z8deIPIZ38sN43FV9Bg=; b=r9keudrdrAG/VWFKW3jqdRyv76EVgsUwMLg8T/epoluVeKrqoukbU0WOKg5SW76ZpzQDyj 45GMpF3CX+wGPaX52w6LDyeZE0DItOfoQnxCOFfUW116tC1mAJsHv1UAncRcUisAkbBIEX feWfSqzL12B9xnlMmjus6MZdD7aZsfYt06tLOUG7cyjNeuacjlRNFG+9DvgjWyzlXYidJI JVI3yESuKYPOUkGKEWWjXBRPfReza93bk2uJ+yTVl9EBmYSPbyVVnFL7OSFwEPjhJBakWT dUUi25N8arLrpL5qIFYZLW5rqDPhsPSIkCfh12IMn+FD7xNhE7TDdDQ573eO1Q== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4Vs3Lc48CRz1CDl; Sat, 1 Jun 2024 15:09:44 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.17.1/8.17.1) with ESMTP id 451F9i1J046143; Sat, 1 Jun 2024 15:09:44 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.17.1/8.17.1/Submit) id 451F9ijF046140; Sat, 1 Jun 2024 15:09:44 GMT (envelope-from git) Date: Sat, 1 Jun 2024 15:09:44 GMT Message-Id: <202406011509.451F9ijF046140@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org From: Ed Maste Subject: git: 297bb39b6f0f - main - mitigations.7: move SSP documentation from security.7 to here List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-all@freebsd.org Sender: owner-dev-commits-src-all@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: emaste X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 297bb39b6f0fcfc5d571dc77008eb7acf138d279 Auto-Submitted: auto-generated The branch main has been updated by emaste: URL: https://cgit.FreeBSD.org/src/commit/?id=297bb39b6f0fcfc5d571dc77008eb7acf138d279 commit 297bb39b6f0fcfc5d571dc77008eb7acf138d279 Author: Ed Maste AuthorDate: 2024-06-01 12:07:38 +0000 Commit: Ed Maste CommitDate: 2024-06-01 15:09:30 +0000 mitigations.7: move SSP documentation from security.7 to here Stack Smashing Protection (SSP) is a software vulnerability mitigation, and fits with this page. Add a note to the beginning of security.7 providing a more explicit cross reference to mitigations.7. Reviewed by: kevans Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D45435 --- share/man/man7/mitigations.7 | 82 +++++++++++++++++++++++++++++++++++++++--- share/man/man7/security.7 | 85 +++++--------------------------------------- 2 files changed, 87 insertions(+), 80 deletions(-) diff --git a/share/man/man7/mitigations.7 b/share/man/man7/mitigations.7 index a322c9a917da..e5ff439455e3 100644 --- a/share/man/man7/mitigations.7 +++ b/share/man/man7/mitigations.7 @@ -25,7 +25,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.Dd May 31, 2024 +.Dd June 1, 2024 .Dt MITIGATIONS 7 .Os .Sh NAME @@ -54,8 +54,8 @@ Write XOR Execute page protection policy Relocation Read-Only (RELRO) .It Bind Now -.\".It -.\"Stack Smashing Protection (SSP) +.It +Stack Overflow Protection .It Supervisor Mode Memory Protection .It @@ -232,7 +232,81 @@ preventing attacks on the relocation table. Note that this results in a nonstandard Application Binary Interface (ABI), and it is possible that some applications may not function correctly. .\" -.\".Ss Stack Smashing Protection (SSP) +.Ss Stack Overflow Protection +.Fx +supports stack overflow protection using the Stack Smashing Protector +.Pq SSP +compiler feature. +In userland, SSP adds a per-process randomized canary at the end of every stack +frame which is checked for corruption upon return from the function. +In the kernel, a single randomized canary is used globally except on aarch64, +which has a +.Dv PERTHREAD_SSP +.Xr config 8 +option to enable per-thread randomized canaries. +If stack corruption is detected, then the process aborts to avoid potentially +malicious execution as a result of the corruption. +SSP may be enabled or disabled when building +.Fx +base with the +.Xr src.conf 5 +SSP knob. +.Pp +When +.Va WITH_SSP +is enabled, which is the default, world is built with the +.Fl fstack-protector-strong +compiler option. +The kernel is built with the +.Fl fstack-protector +option. +.Pp +In addition to SSP, a +.Dq FORTIFY_SOURCE +implementation is supported up to level 2 by defining +.Va _FORTIFY_SOURCE +to +.Dv 1 +or +.Dv 2 +before including any +.Fx +headers. +.Fx +world builds can set +.Va FORTIFY_SOURCE +to provide a default value for +.Va _FORTIFY_SOURCE . +When enabled, +.Dq FORTIFY_SOURCE +enables extra bounds checking in various functions that accept buffers to be +written into. +These functions currently have extra bounds checking support: +.Bl -column -offset indent "snprintf" "memmove" "strncpy" "vsnprintf" "readlink" +.It bcopy Ta bzero Ta fgets Ta getcwd Ta gets +.It memcpy Ta memmove Ta memset Ta read Ta readlink +.It snprintf Ta sprintf Ta stpcpy Ta stpncpy Ta strcat +.It strcpy Ta strncat Ta strncpy Ta vsnprintf Ta vsprintf +.El +.Pp +.Dq FORTIFY_SOURCE +requires compiler support from +.Xr clang 1 +or +.Xr gcc 1 , +which provide the +.Xr __builtin_object_size 3 +function that is used to determine the bounds of an object. +This feature works best at optimization levels +.Fl O1 +and above, as some object sizes may be less obvious without some data that the +compiler would collect in an optimization pass. +.Pp +Similar to SSP, violating the bounds of an object will cause the program to +abort in an effort to avoid malicious execution. +This effectively provides finer-grained protection than SSP for some class of +function and system calls, along with some protection for buffers allocated as +part of the program data. .\" .Ss Supervisor mode memory protection Certain processors include features that prevent unintended access to memory diff --git a/share/man/man7/security.7 b/share/man/man7/security.7 index 2e690e35d534..7cb906304861 100644 --- a/share/man/man7/security.7 +++ b/share/man/man7/security.7 @@ -26,13 +26,21 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.Dd October 5, 2023 +.Dd June 1, 2024 .Dt SECURITY 7 .Os .Sh NAME .Nm security .Nd introduction to security under FreeBSD .Sh DESCRIPTION +See +.Xr mitigations 7 +for a description of vulnerability mitigations in +.Fx . +This man page documents other +.Fx +security related topics. +.Pp Security is a function that begins and ends with the system administrator. While all .Bx @@ -939,81 +947,6 @@ option that SSH allows in its .Pa authorized_keys file to make the key only usable to entities logging in from specific machines. -.Sh STACK OVERFLOW PROTECTION -.Fx -supports stack overflow protection using the Stack Smashing Protector -.Pq SSP -compiler feature. -In userland, SSP adds a per-process randomized canary at the end of every stack -frame which is checked for corruption upon return from the function. -In the kernel, a single randomized canary is used globally except on aarch64, -which has a -.Dv PERTHREAD_SSP -.Xr config 8 -option to enable per-thread randomized canaries. -If stack corruption is detected, then the process aborts to avoid potentially -malicious execution as a result of the corruption. -SSP may be enabled or disabled when building -.Fx -base with the -.Xr src.conf 5 -SSP knob. -.Pp -When -.Va WITH_SSP -is enabled, which is the default, world is built with the -.Fl fstack-protector-strong -compiler option. -The kernel is built with the -.Fl fstack-protector -option. -.Pp -In addition to SSP, a -.Dq FORTIFY_SOURCE -implementation is supported up to level 2 by defining -.Va _FORTIFY_SOURCE -to -.Dv 1 -or -.Dv 2 -before including any -.Fx -headers. -.Fx -world builds can set -.Va FORTIFY_SOURCE -to provide a default value for -.Va _FORTIFY_SOURCE . -When enabled, -.Dq FORTIFY_SOURCE -enables extra bounds checking in various functions that accept buffers to be -written into. -These functions currently have extra bounds checking support: -.Bl -column -offset indent "snprintf" "memmove" "strncpy" "vsnprintf" "readlink" -.It bcopy Ta bzero Ta fgets Ta getcwd Ta gets -.It memcpy Ta memmove Ta memset Ta read Ta readlink -.It snprintf Ta sprintf Ta stpcpy Ta stpncpy Ta strcat -.It strcpy Ta strncat Ta strncpy Ta vsnprintf Ta vsprintf -.El -.Pp -.Dq FORTIFY_SOURCE -requires compiler support from -.Xr clang 1 -or -.Xr gcc 1 , -which provide the -.Xr __builtin_object_size 3 -function that is used to determine the bounds of an object. -This feature works best at optimization levels -.Fl O1 -and above, as some object sizes may be less obvious without some data that the -compiler would collect in an optimization pass. -.Pp -Similar to SSP, violating the bounds of an object will cause the program to -abort in an effort to avoid malicious execution. -This effectively provides finer-grained protection than SSP for some class of -function and system calls, along with some protection for buffers allocated as -part of the program data. .Sh KNOBS AND TWEAKS .Fx provides several knobs and tweak handles that make some introspection